New Backdoor “Maggie” Targets Microsoft SQL Servers with Focus on APAC Region

The new “Maggie” malware is a backdoor capable of bruteforcing admin logins, currently targeting Microsoft SQL servers worldwide.


On October 4, 2022, DCSO CyTec security researchers reported the technical details of a new backdoor malware targeting Microsoft SQL servers, which they dubbed “Maggie.” According to the researchers, the Maggie backdoor can brute-force logins to other MSSQL servers and, after brute-forcing an administrator login, add a new hardcoded backdoor user. The researchers did not investigate if and how infected servers are used by the threat actors after a successful infection, and did not provide any attribution for the backdoor campaign.


According to researchers, more than 250 servers have been infected by Maggie so far, with a particular focus on the Asia-Pacific (APAC) region. Currently, no information is publicly available on the specific targets of the backdoor. South Korea, India, Vietnam, China, and Taiwan were the most targeted countries by volume. Any organizations operating MSSQL servers, especially in the APAC region, are encouraged to ingest the indicators of compromise (IOCs) included in this report and to remain particularly vigilant regarding operations and activity on MSSQL servers.

Technical Details

According to researchers, “The malware comes in the form of an ‘Extended Stored Procedure’ DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled solely using SQL queries and offers a variety of functionality to run commands, interact with files, and function as a network bridge head into the environment of the infected server.”

After installation, the backdoor exposes multiple commands to query system information, interact with files and folders, execute programs, and perform various network-related functions such as enabling TermService, running a SOCKS5 proxy server, or setting up port forwarding.
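Because the backdoor is registered as an extended stored procedure and driven entirely through SQL queries, the instance's own catalog views are the first place to look for it. The following T-SQL is an added defensive check, not part of the DCSO report or of the Maggie sample itself; it assumes sysadmin rights on the instance and a 30-day review window for new logins.

```sql
-- Added defensive check (not from the DCSO report): enumerate the extended
-- stored procedures registered in master, the non-Microsoft DLLs loaded in
-- the SQL Server process, and recently created logins. Assumes sysadmin rights.
USE master;

-- 1. Every registered extended stored procedure and its backing DLL.
--    Rows with is_ms_shipped = 0, or a dll_name pointing outside the
--    instance's Binn directory, deserve a closer look.
SELECT xp.name,
       xp.dll_name,
       xp.create_date,
       xp.modify_date,
       xp.is_ms_shipped
FROM sys.extended_procedures AS xp
ORDER BY xp.is_ms_shipped, xp.create_date DESC;

-- 2. DLLs currently loaded into the sqlservr.exe process that do not
--    identify themselves as Microsoft-built. An ESP DLL is loaded on its
--    first call and stays resident, so a registered but never-called
--    backdoor appears in query 1 but not here.
SELECT lm.name,
       lm.company,
       lm.description,
       lm.file_version
FROM sys.dm_os_loaded_modules AS lm
WHERE lm.company IS NULL
   OR lm.company NOT LIKE 'Microsoft%'
ORDER BY lm.name;

-- 3. Logins created in the last 30 days (window is an assumption). Maggie
--    adds a hardcoded backdoor user after a successful brute-force, so any
--    login nobody can account for is a finding.
SELECT sp.name,
       sp.type_desc,
       sp.create_date
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U')          -- S = SQL login, U = Windows login
  AND sp.create_date > DATEADD(DAY, -30, SYSDATETIME())
ORDER BY sp.create_date DESC;

-- Removal of a confirmed rogue ESP, only after the DLL has been preserved
-- for forensics (placeholder name):
-- EXEC sp_dropextendedproc @functname = N'<rogue_procedure_name>';
```

Run the three queries on every instance in scope and diff the results against a known-good baseline; a single unexplained row in the first query is enough to justify pulling the DLL for analysis.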

The backdoor is reportedly capable of simple TCP redirection, which allows it to function as a network bridge head from the internet to any IP address reachable by the infected server. The backdoor redirects incoming connections to a designated IP and port only if the source IP matches a user-specified IP mask. This enables port reuse: the redirection is transparent to the attacker-designated sources, while every other connecting IP continues to use the server normally, without any interference from, or indication of, the Maggie backdoor.


DCSO CyTec security researchers provided indicators of compromise (SHA256 hashes of the Maggie ESP DLLs and of RAR SFX archives bundling Maggie, and in-the-wild download URLs) in their report.


DCSO CyTec security researchers provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs):

T1110: Brute Force
T1090: Connection Proxy
